Onehalf
   
   
     _________________________________________________________________
   
   While infecting the hard drive "OneHalf" checks the Partition Table,
   looks for the last DOS partition - DOS logical disk
   (FAT-12/FAT-16/BIGDOS), or extended partition, and calculates the
   first and last cylinders numbers of that disk/extended partition.
   
   It saves the pointer to the last cylinder at offset 29h in the HD MBR.
   On each booting from the HD the virus decreases that pointer by two,
   and encrypts two cylinders to where that pointer points. On first
   booting from the HD the virus encrypts the last two cylinders, on the
   next booting - plus 2 from the end, and so on. So on working the
   "spot" at the end of the last logical disk/partition grows on 2
   cylinders on each booting.
   
   When this "spot" reaches the middle of the disk/partition, the virus
   may display (according to other conditions: on 4th, 8th, 12th, 16th,
   20th, 24h and 28th of each month, and if the generation of the virus
   is even):

 Dis is one half.
 Press any key to continue...

   After loading into the system memory the virus decrypts/encrypts these
   sectors "on-the-fly", and the corrupted sectors appear in their
   original form, but after disinfection all the encrypted data is lost.
   
   P.S. The next AVP weekly update (UP950424.ZIP) will decrypt such
   disks on disinfection of the OneHalf (both variants) virus.
     _________________________________________________________________
   
   &copy; Copyright 1995 Eugene V. Kaspersky
